Thursday, July 24, 2008

DoubleClick's Open Redirects Abused By Malware

Trend Micro writes in its blog about malware abusing DoubleClick's open redirects. Trend Micro Advanced Threat Research has discovered a number of malicious URLs under the domain of DoubleClick, the global Internet advertising company.

All of the links found lead to the file msvideoc.exe, which causes the affected system to connect to a remote site. Upon connection, it downloads a file that Trend Micro detects as TROJ_DLOAD.DI. This file in turn downloads a file detected as TROJ_MUTANT.GC. The following DoubleClick links are already blocked:

- hxtp://ad.doubleclick.net/click;h=ADWAJJzSVGmEDCBbJkMiTUfmdIhuADWAJJzS;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aHPDZwqljHnlNScXoBJgzRzaFppDaHPDZwql;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=ahRQJQoWHYpFFYzgAFizZJdQnlgvahRQJQoW;~ss cs=%3fhttp://www.{BLOCKED}otel.eu/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aKXFNafnFbXukmAZjmqAhawpjVYYaKXFNafn;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aMwjNqwdSMZFJUDKSnOUSUwsRiQLaMwjNqwd;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=AMZEPQvqcklBUaAiRxzguoHmlydDAMZEPQvq;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe


This kind of method makes it harder for anti-spam filters to identify the links as malicious, since the redirector is under a legitimate domain. Also, the familiar-looking domain at the beginning of the URL makes the link look legitimate at a quick glance. However, the ending of the URL shows that it's far from legit.
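A filter can make the same comparison automatically by reading the end of the URL instead of the beginning. The sketch below is an added example, not code from Trend Micro or from this post: it pulls out the URL nested inside a redirector link and compares its host with the outer one. The function names, the extension list and the sample URLs (placeholder hosts and tokens) are assumptions, and the check does not rely on the redirect parameter's name.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed samples in the shape of the links listed above; hosts and tokens are placeholders.
SAMPLES = [
    "http://ad.doubleclick.net/click;h=CONSTRUCTED;~sscs=%3fhttp://www.example.test/msvideoc.exe",
    "http://ad.doubleclick.net/click;h=CONSTRUCTED;~sscs=%3fhttp%3A%2F%2Fwww.example.test%2Fsetup.EXE",
    "http://ad.doubleclick.net/click;h=CONSTRUCTED;~sscs=%3fhttp://ad.doubleclick.net/landing.html",
    "http://www.example.org/news/index.html",
]

RISKY_EXTENSIONS = (".exe", ".scr", ".pif")  # assumption: extend to match local policy
ABSOLUTE_URL = re.compile(r"https?://", re.IGNORECASE)


def embedded_target(url):
    """Return the absolute URL nested inside `url`, or None if there is none."""
    decoded = url
    for _ in range(3):  # undo up to three layers of percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    outer_end = decoded.find("://") + 3  # skip the outer scheme before searching
    match = ABSOLUTE_URL.search(decoded, outer_end)
    return decoded[match.start():] if match else None


def classify(url):
    """Compare the host a reader sees first with the host the link really ends at."""
    outer_host = (urlsplit(url).hostname or "").lower()
    target = embedded_target(url)
    if target is None:
        return outer_host, None, "no-embedded-url"
    parts = urlsplit(target)
    target_host = (parts.hostname or "").lower()
    if target_host == outer_host:
        return outer_host, target_host, "same-host"
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        return outer_host, target_host, "offsite-executable"
    return outer_host, target_host, "offsite"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

A verdict of `offsite-executable` on a link whose outer host is a well-known redirector is the pattern this post describes; `offsite` alone is common for ordinary ad clicks and needs reputation data on the target host to judge.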
